Thursday, April 30, 2009

Exercise 21: Shopping cart specification

Develop the class diagram for the following shopping cart specifications:

A shoppingCart object is associated with only one creditCard and customer and to items in itemToBuy object. Persistent customer information such as name, billing address, delivery address, e-mail address and credit rating is stored in the customer object. The credit card object is associated with a frequentShopper discount object, if the credit rating for the customer is good. The customer can make or cancel orders as well as add and delete items to the shopping cart product. The credit card object contains the secure method for checking that the charge is authentic.


Shopping cart class diagram:

Wednesday, April 29, 2009

Exercise 20: Modeling with UML

Use Case, Class, Sequence, Collaboration, State chart, Activity, Component and Deployment diagrams are used in UML. Describe each of the eight (8) main diagrams used in UML.

Use Case diagram
Use cases are used in the requirements elicitation and system analysis stages of a project to represent the functionality of the system. Use cases focus on the behavior of the system from an external point of view. A use case describes a function provided by the system that yields a visible result for an actor. Identifying actors and use cases results in the definition of the boundary of the system: it differentiates the tasks accomplished by the system from the tasks accomplished by its environment. The actors are outside the boundary of the system, and the use cases reside inside it (Bruegge & Butoit, 2004).

The use case diagram below describes the functionality of a simple watch system. The WatchUser actor may either consult the time on her watch with the ReadTime use case or set the time with the SetTime use case. However, only the WatchRepairPerson actor can change the battery of the watch (with the ChangeBattery use case):


Class diagram
A class diagram is used to describe the structure of the system. A class is an abstraction that specifies the common structure and behavior of a set of objects. An object is an instance of a class that is created, modified and destroyed during the execution of the system. Class diagrams describe the system in terms of objects, classes, attributes, operations and their associations (Bruegge & Butoit, 2004).

The class diagram below describes the elements of all the watches of the SimpleWatch class. These watch objects all have an association to an object of the PushButton class, an object of the Display class, an object of the Time class and an object of the Battery class. The numbers on the ends of associations denote the number of links each SimpleWatch object can have with an object of a given class:


Sequence diagram
Sequence diagrams are also called interaction diagrams. They are used to formalize the dynamic behavior of the system and to visualize the communication between objects. They are useful for identifying additional objects that participate in the use cases. They represent the interactions that take place among objects and focus on the messages exchanged between objects as a result of external events created by actors (Bruegge & Butoit, 2004).

The sequence diagram below is for the SetTime use case of the SimpleWatch system. The leftmost column is the WatchUser actor who initiates the use case. Labeled arrows represent stimuli that an actor or an object sends to other objects:


Collaboration diagram
A collaboration diagram describes the same information as a sequence diagram. It represents the sequence of messages by numbering the interactions. This removes the geometrical constraints on the objects and results in a more compact diagram, but the sequence of messages becomes more difficult to follow (Bruegge & Butoit, 2004).

The collaboration diagram below is equivalent to the sequence diagram above:


State chart diagram
A state chart diagram describes the dynamic behavior of an individual object as a number of states and transitions between these states. A state represents a particular set of values for an object. Given a state, a transition represents a future state the object can move to and the conditions associated with the change of state (Bruegge & Butoit, 2004).

The state chart below for the SimpleWatch represents different information than the sequence diagram:


Activity diagram
An activity diagram describes the behavior of a system in terms of activities. Activities are elements that represent the execution of a set of operations. The completion of these operations triggers a transition to another activity. Activity diagrams are similar to flowchart diagrams in that they can be used to represent control flow (Bruegge & Butoit, 2004).

The activity diagram below represents the behavior in terms of activities and their precedence constraints. The completion of an activity triggers an output transition, which in turn may initiate another activity:


Component diagram
A component diagram depicts how components are linked together to form larger components and/or software systems (Bruegge & Butoit, 2004).

The component diagram below shows the WebServer component and the classes it contains:


Deployment diagram
A deployment diagram is used to describe the relationship among run-time components and hardware nodes. Components are self-contained entities that provide services to other components or actors. Nodes are represented by boxes containing component icons in the deployment diagram (Bruegge & Butoit, 2004).

The deployment diagram below represents the allocation of components to different nodes and the dependencies among components. The Web browsers on PCs and Macs can access a WebServer that provides information from a Database:


Reference
  1. Bruegge, B. and Butoit, A. H. (2004), Object-oriented software engineering: using uml, patterns, and java, Prentice Hall.

Tuesday, April 28, 2009

Exercise 19: TP monitors and transaction protocols

1. Give a description in your own words of the ACID properties of a transaction.

ACID is an acronym formed from the words Atomicity, Consistency, Isolation and Durability. ACID is a set of properties that ensure database transactions are processed reliably. In database architecture, a transaction is a single logical operation, or a set of sequential operations, that performs a task. For example, a transfer of funds from one bank account to another is a transaction, even though it might involve multiple individual operations on different bank accounts within the database (Wikipedia, N.A.).

Atomicity - the DBMS ensures that either all of the tasks of a transaction are done or none of them.
Consistency - the database remains in a consistent state before the start and after the end of a transaction.
Isolation - data in an intermediate state during transaction processing cannot be accessed or seen by other operations.
Durability - after the transaction has completed successfully, it becomes persistent and cannot be undone.

2. Describe a TP monitor environment. How can a TP monitor stop an operating system being overwhelmed?

A TP monitor provides an execution environment for resource managers and applications. When requests arrive from local or remote clients, the TP monitor launches a server to perform the request. Before creating a server for a request, the TP monitor authorizes the client to the service. The client must be authenticated by the TP monitor as a particular person or group of persons. The TP monitor also records security checks and security violations in an audit trail (Gray & Reuter, 1993). A TP monitor handles two important processes (Ince, 2002):
  • Managing the concurrent execution of threads and processes, ensuring the ACID properties of a transaction
  • Ensuring consistent updates in a shared-update transaction of data when other transactions wish to access the shared data.

A TP monitor does not replace the operating system completely, though that might be possible. The operating system handles batch, time-sharing and communication. The TP monitor takes care of online transaction processing (OLTP) and distributed transactions (Gray & Reuter, 1993).

3. What is difference in load balancing with traditional and transactional MOM, RPC and conversations?

Load balancing with traditional and transactional:
A load-balancing solution connects multiple servers so that they work together and look like a single, high-powered network resource to those accessing the system. It does this by selectively forwarding connections to the many servers arrayed behind it in an equitable manner, according to the operational health of the servers and the nature of the query (Intel, 2000).

Traditional load-balancing solutions check the health of the servers in order to determine which machines are able to handle the incoming request. This can be done either by testing the server with an artificial client, or by sending it a series of scripts that try out critical pages and look at the responses. Simply responding to occasional health tests is no longer adequate for delivering the right content in a timely manner (Intel, 2000).

A transactional load-balancing (or transactional content awareness) solution monitors actual transactions on an ongoing basis. The more important the transaction, the more necessary it is that both parties involved are certain it has been completed. In an automated teller machine (ATM) system, with its valuable exchanges of money and information, it is important to be sure that transactions have been completed properly. Load balancing must therefore be transaction-aware (Intel, 2000).

RPC and conversations:
Remote procedure call (RPC) is an interprocess communication technique. RPC allows communication between client and server software (Microsoft, 2000). The general communication pattern of RPC is very simple and modeled on human conversation habits (HXP, 2004). RPC works between computers and uses the network as its communication channel, whereas conversations are communication between people and use air as the medium.


RPC works over the Internet, Intranet and local host:


4. Why is a two-phase commit protocol better than a one-phase atomic commit protocol?

The two-phase commit (2PC) protocol ensures that either all the databases are updated or none of them (Webopedia, N.A.):

  • 1st phase: the changes to the database requested by a transaction are initially stored temporarily by each database. The transaction monitor then issues a pre-commit command to each database, which requires an acknowledgment (Webopedia, N.A.). This is the voting phase, which ensures that all sites are ready to commit (Veda & Mittal, 2004).
  • 2nd phase: if the monitor receives the proper response from each database, the monitor issues the commit command. The commit command causes all databases to simultaneously make the transaction's changes permanent (Webopedia, N.A.). This is the decision phase, which ensures a uniform abort or commit at all sites (Veda & Mittal, 2004).

The one-phase commit (1PC) protocol overlaps the voting phase with the execution of the transaction and has only a decision phase. Implicit Yes Voting and the Coordinator Log are implementations of the 1PC protocol. 1PC cannot support deferred consistency constraints (Veda & Mittal, 2004).

2PC is better than 1PC (Veda & Mittal, 2004):

  • Ensures atomicity even in deferred constraints
  • Ensures independent recovery of all sites
  • As it takes place in 2 phases, it can handle network failures, disconnections and in their presence assure atomicity that 1PC cannot.
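
The two phases described above can be traced in a small simulation. This is an added example, not code from the cited sources; the `Participant` class, the overdraft constraint and the `Unreachable` failure are assumptions made for illustration.

```python
class Unreachable(Exception):
    """Raised when a site cannot be contacted (constructed failure mode)."""


class Participant:
    """One database site holding an account balance (hypothetical)."""

    def __init__(self, name, balance, reachable=True):
        self.name = name
        self.balance = balance    # committed state
        self.staged = None        # change stored temporarily after phase 1
        self.reachable = reachable
        self.log = []

    def prepare(self, delta):
        """Phase 1: store the change temporarily and vote yes or no."""
        if not self.reachable:
            raise Unreachable(self.name)
        if self.balance + delta < 0:   # consistency constraint: no overdraft
            self.log.append("vote-no")
            return False
        self.staged = delta
        self.log.append("vote-yes")
        return True

    def commit(self):
        """Phase 2: make the staged change permanent."""
        self.balance += self.staged
        self.staged = None
        self.log.append("commit")

    def abort(self):
        """Phase 2: discard the staged change."""
        self.staged = None
        self.log.append("abort")


def two_phase_commit(changes):
    """Run one transaction; changes is a list of (participant, delta)."""
    prepared = []
    decision = "commit"
    # Phase 1 (voting): every site must acknowledge before anything is final.
    for site, delta in changes:
        try:
            vote = site.prepare(delta)
        except Unreachable:
            vote = False               # a silent site counts as a "no" vote
        if not vote:
            decision = "abort"
            break
        prepared.append(site)
    # Phase 2 (decision): the same outcome is sent to every prepared site.
    for site in prepared:
        if decision == "commit":
            site.commit()
        else:
            site.abort()
    return decision


def demo():
    """Three constructed transfers: success, constraint failure, lost site."""
    a, b = Participant("A", 100), Participant("B", 50)
    offline = Participant("C", 0, reachable=False)
    results = [
        two_phase_commit([(a, -30), (b, 30)]),        # both sites vote yes
        two_phase_commit([(b, 500), (a, -500)]),      # A would be overdrawn
        two_phase_commit([(a, -10), (offline, 10)]),  # C never answers
    ]
    return results, a.balance, b.balance, offline.balance


if __name__ == "__main__":
    print(demo())
```

In the second and third transfers one site has already staged its change when the other refuses or disappears, yet no balance moves, which is the atomicity the list above attributes to 2PC.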
Reference

  1. Gray, J. and Reuter, A. (1993), Transaction processing: concepts and techniques, Morgan Kaufmann Publishers, Inc.
  2. HXP (2004), Rpc - remote procedure call, Healthcare Xchange Protocol, Retrieved at http://hxp.sourceforge.net/rpc.html on 29th April, 2009.
  3. Ince, D. (2004), Developing distributed and e-commerce applications, 2nd edition, Addison-Wesley.
  4. Intel (2000), Transactional load-balancing systems: delivering true server availability, Intel.
  5. Microsoft (2000), Remote procedure call, Microsoft TechNet, Retrieved at http://technet.microsoft.com/en-us/library/cc958781.aspx on 29th April, 2009.
  6. Veda, A. and Mittal, K. (2004), Project report: one and two phase commit protocols, Kanwal Rekhi School of Information Technology.
  7. Webopedia (N.A.), Two-phase commit, Webopedia, Retrieved at http://www.webopedia.com/TERM/T/two_phase_commit.html on 29th April, 2009.
  8. Wikipedia (N.A.), Acid, Wikipedia, Retrieved at http://en.wikipedia.org/wiki/ACID on 28th April, 2009.

Exercise 18: Threading demonstration in Python

A simple demonstration of the threading module in Python that uses both a lock and semaphore to control concurrency is by Ted Herman at the University of Iowa. The code and sample output below are worth a look. Report your findings.

I downloaded threaddemo.py from the CSU Web site and ran it on my Mac. Three sample results from my computer:

I ran the program several times; the results are similar but not identical. The time taken for each run of the program is slightly different. The running times of the 10 task threads differ because they are randomly generated by the system. The program only allows 3 tasks to run concurrently. When a task completes, another task starts. The tasks run like a job queue in a FIFO model.
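
The behaviour reported above can be reproduced with a short script. This is an added example, not Ted Herman's threaddemo.py; the function name `run_demo`, the task durations and the bookkeeping dictionary are assumptions.

```python
import random
import threading
import time


def run_demo(tasks=10, limit=3, seed=None):
    """Start `tasks` threads but let at most `limit` run at the same time.

    Returns (peak, finished): the highest number of tasks observed running
    together and the order in which the tasks completed.
    """
    rng = random.Random(seed)
    slots = threading.Semaphore(limit)   # caps concurrency at `limit`
    lock = threading.Lock()              # protects the shared `state` dict
    state = {"running": 0, "peak": 0, "finished": []}
    # Random running time per task, as in the demo described above.
    durations = [rng.uniform(0.01, 0.05) for _ in range(tasks)]

    def task(n):
        with slots:                      # blocks while `limit` tasks are active
            with lock:
                state["running"] += 1
                state["peak"] = max(state["peak"], state["running"])
            time.sleep(durations[n])     # simulated work, done outside the lock
            with lock:
                state["running"] -= 1
                state["finished"].append(n)

    threads = [threading.Thread(target=task, args=(n,)) for n in range(tasks)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return state["peak"], state["finished"]


if __name__ == "__main__":
    peak, finished = run_demo()
    print("peak concurrency:", peak)
    print("completion order:", finished)
```

The semaphore limits how many tasks are active, while the lock only guards the counters, so the two primitives solve different problems in the same program.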

Monday, April 27, 2009

Exercise 17: Concurrency terms

Find definitions for eight terms and concepts used in threaded programming:
1. Thread Synchronisation
2. Locks
3. Deadlock
4. Semaphores
5. Mutex (mutual exclusion)
6. Thread
7. Event
8. Waitable timer.


1. Thread Synchronisation
A thread may execute a process involving multiple objects, and multiple threads may attempt to execute processes that involve a single object. Thread synchronisation is a process by which threads interact to check the status of objects (Bak, 2000). In threaded applications, individual threads need to be synchronized with other parts of the program. Thread synchronisation provides a compromise between the unstructured nature of multithreaded programming and the structured order of synchronous processing (MSDN, N.A.).

2. Locks
An object may be accessed by multiple threads. Locking prevents all but one thread from executing a process on a particular object, so that only one thread is permitted to operate on that object (Bak, 2000). Most server software provides two types of locks to optimize the locking process: read locks and write locks (Ince, 2002).

Flowchart of object locking (Bak, 2000):
  • step 31: the thread determines whether the object is locked
  • step 33: the current thread gets exclusive access rights to the object
  • step 34: the object was previously locked by the current thread
  • step 35: the object locking process stops
  • step 37: the object was locked by another thread, so the current thread waits for the object to be unlocked before continuing


3. Deadlock
Deadlock occurs when two or more threads are each waiting for another to finish (or unlock), but none ever does. The threads may be waiting for object locks in a circular chain. Object locks guarantee exclusive access to processes. Deadlocks are a common problem, and there is no general solution for avoiding them (Wikipedia I, N.A.).

4. Semaphores
A semaphore is a protected variable or abstract data type that provides a method for limiting access to shared resources, such as shared memory, in a multiprogramming environment (Wikipedia II, N.A.).

5. Mutex (mutual exclusion)
Mutex is short for mutual exclusion. A mutex is an object that allows multiple threads to share the same resource, but not at the same time. When a program starts, a mutex is created with a unique name. Any thread that needs the resource must lock the mutex from other threads while it is using the resource. The mutex is unlocked when the data is no longer needed or the process is finished (Webopedia, N.A.).

6. Thread
A thread is a sequential flow of control within a program. Each thread has its own execution stack where method activations reside. Threads can run either cooperatively or concurrently in a system (Bak, 2000). Threads are also called lightweight processes and are similar to forking a process. Because multiple threads of a process use the same address space (all static and external data and open files are shared), they can make parallel programming easier. Threads are used when there is a need to protect or synchronise shared resources. Threads exist in modern operating systems and software such as UNIX and Microsoft Office (Eustace 2009).

7. Event
An event is the simplest mechanism for communication between threads: one thread signals an event and other threads wait for it. An event object manages an internal flag that can be changed (Python, 2005).

8. Waitable timer
A waitable timer is a synchronization object. Its state is set to signaled when a specified due time is reached (Mischel, 2009).

Reference
  1. Bak, L. (2000), Thread synchronization in a computer controlled by an object-based, Sun Microsystems, Inc.
  2. Eustace, K. (2009), E-systems infrastructure development - itc594 study guide, CSU.
  3. Ince, D. (2002), Developing distributed and e-commerce applications, 2nd edition, Addison-Wesley.
  4. Mischel, J. (2009), Waitable timers in .net with c#, DevSource, Retrieved at http://www.devsource.com/c/a/Languages/Waitable-Timers-in-NET-CSharp/ on 28th April, 2009.
  5. MSDN (N.A.), Thread synchronization, Microsoft, Retrieved at http://msdn.microsoft.com/en-us/library/dsw9f9ts.aspx on 28th April, 2009.
  6. Python (2009), Python library reference - event objects, Python, Retrieved at http://www.python.org/doc/2.3.5/lib/event-objects.html on 28th April, 2009.
  7. Webopedia (N.A.), Mutex, Webopedia, Retrieved at http://www.webopedia.com/TERM/M/mutex.html on 28th April, 2009.
  8. Wikipedia I (N.A.), Deadlock, Wikipedia, Retrieved at http://en.wikipedia.org/wiki/Deadlock on 28th April, 2009.
  9. Wikipedia II (N.A.), Semaphore (programming), Wikipedia, Retrieved at http://en.wikipedia.org/wiki/Semaphore_%28programming%29 on 28th April, 2009.

Sunday, April 26, 2009

Exercise 16: Authentication and Encryption systems

1. Visit an e-commerce website and survey the mode of payment allowed. Would you trust the site with your business?

I went to the eBay Web site at: http://www.ebay.com/. I tried to buy the Wii game console on it. If I confirm to buy that item, I need a PayPal account to process the payment.

PayPal is a payments gateway (or a payment middle man):
  • Make secure purchases without revealing credit card number or financial information of the customer
  • Pay quickly
  • Shop using PayPal on eBay or thousands of merchants worldwide

A transaction fee needs to be paid to PayPal (http://www.paypal.com) for each payment.

I trust that site (eBay) with my business, as the payments go through a famous third party and my financial information would not be exposed to the merchants.

2. What measures should e-commerce provide to create trust among their potential customers? What measures can be verified by the customer?

Trust in Internet shopping is not simply between the Internet merchant and the customer, but also between the consumer and the computer system through which transactions are executed. The customer cannot check the quality of the product before making a purchase, or monitor the safety and security of sending sensitive personal information such as credit card numbers through the Internet to someone whose behavior and motives may not be easy to predict. The effectiveness of third-party trust-certification bodies such as TRUSTe or Verisign, and of public key encryption infrastructure for ensuring transactional security, are significant success factors for Internet shopping (Lee & Turba, 2001).

Security in e-commerce can create trust. A secure site should provide (Josang & Tran, 2000):
  • Authentication - provide proof of identity and prevent an attacker from masquerading as a real user
  • Non-repudiation - provide proof of expedition or receipt
  • Confidentiality - ensure that only legitimate users can read messages
  • Integrity - guard against illegitimate modification, deletion, creation or replay of digital messages
  • Availability - ensure that an application is not disrupted by illegitimate actions

Several important security services, such as non-repudiation and authentication, are based on public-key cryptography. It is also an essential building block of SSL (Secure Sockets Layer), which is used for securing Web communication (Josang & Tran, 2000). They are important in Web security and build up trust between merchants and customers.

Trust for e-commerce has four main components (Patton & Josang, 2002):
  1. Affecting trust before the site is accessed: brand reputation, previous off-line experiences with the merchant, differences between individuals in their general propensity to trust
  2. Interface properties: graphic design and layout, content organization and usability
  3. Informational content: information the merchant provides about products and services, privacy policies and privacy practices
  4. Relationship management: post-purchase communication and customer service

Trust is built on experience over time, so establishing initial trust can be the major challenge with new customers in e-commerce. Without such initial trust, merchants cannot build a good transaction history. Merchants can 'buy' trust through advertising (Patton & Josang, 2002). The above trust components can be verified by the customer.

3. Visit the Verisign web site - what solutions does it offer for e-commerce?

I visited the Verisign Web site at: http://www.verisign.com/. Verisign provides Consumer Products and Retail Solutions for e-commerce. The VeriSign Identity Protection (VIP) provides authentication and transparent fraud detection from a trusted provider, protecting online transactions without slowing them down.

4. Visit the TRUSTe web site. Describe what services and solutions are offered.

I visited the TRUSTe web site at: http://www.truste.com/. TRUSTe helps Web sites to build customer confidence to work, play and shop online. TRUSTe provides a service to certify that Web sites follow strict privacy principles and strive to treat customer information with the utmost respect. If the Web sites meet its requirements, they receive a TRUSTe Web Privacy Seal.

5. Get the latest PGP software from http://web.mit.edu/network/pgp.html; install it on two machines and encrypt a message on one machine and decrypt it on the other. Report your findings.

The PGP software was no longer distributed by MIT:


The PGP software can be downloaded at:
http://www.pgp.com/downloads/desktoptrial/desktoptrial2.html
or
http://www.pcworld.com/downloads/file/fid,3178;order,1;page,1;c,All%20Downloads/description.html

PGP encrypts files with the recipient's public key or the sender's private key. When the recipient receives the encrypted file, the recipient can decrypt it with his own private key or the sender's public key. Using the recipient's public key keeps the content confidential; the operation with the sender's private key is a digital signature, which proves origin and integrity rather than hiding the content. The recipient can use the PGP software to check the integrity of the encrypted file to ensure that it has not been altered by others.

PGP (Pretty Good Privacy) provides cryptographic privacy and authentication. PGP is commonly used for signing, encrypting and decrypting files for e-mail. PGP encryption uses the Public Key Infrastructure (PKI).

Encrypts files output to test.pgp:



Verifies file integrity and decrypts the test.pgp file, then unzip the files into the Test folder:


6. The use of digital certificates and passports are just two examples of many tools for validating legitimate users and avoiding consequences such as identity theft. What others exist?

Validation of legitimate users:
  • By user name or login ID, and password. Commonly used in most systems
  • By personal card and password. Example: use of an automated teller machine (ATM) card by a bank
  • Fingerprint recognition system. Example: use in door locks and computer system login
  • Iris recognition system. Example: use in door locks

Reference
  1. Josang, A. and Tran, N (2000), Trust management for e-commerce, Virtual Banking 2000.
  2. Lee, M.K.O and Turba, E. (2001), A trust model for consumer internet shopping, International Journal of Electronic Commerce, 75-91(6).
  3. Patton, M. A. and Josang, A. (2002), Technologies for trust in electronic commerce, Kluwer Academic Publisher, Electronic Commerce Research 4, 9-21.

Friday, April 24, 2009

Exercise 15: Protecting and archiving data

1. What makes a firewall a good security investment? Accessing the Internet, find two or three firewall vendors. Do they provide hardware, software or both?

A firewall is a device that protects data on systems and the computer systems themselves. A firewall provides a controlled point of entry into and out of a computer system (internal network). A computer system may be a very large investment for a company. A firewall helps to minimize the chance of needing repairs after an intrusive attack from outside (such as the Internet). A firewall is a safeguard which protects (Zalenski, 2002):
  • Data integrity - data needs to be protected from any unwarranted changes
  • Availability - data needs to be accessible when needed
  • Secrecy - data privacy needs to be secured when applicable

If a company's system is attacked by a malicious intrusion, the capability of the system may be reduced or halted. This can affect the company's ability to deliver as promised and can damage the integrity of the company. The revenues of the company may be hurt (Zalenski, 2002). These reasons make a firewall a good investment.

Firewall Vendors:

2. Find out if your university or workplace has a backup policy in place. Is it followed and enforced?

My company has the backup policy:
  • Critical data should be backed up
  • Backup data should be stored at a location that is physically different from its original creation and usage location
  • The ability to retrieve and restore backup data should produce successful results. The verification through restoration from backed-up data, should be performed on a regular basis
  • Procedures for backing up critical data and testing of the procedures should be documented.

We mostly follow the above policy in our daily backup:
  • We backup application's data, user's data and users' e-mail daily
  • Write down the daily backup status in the log book
  • Store the backup tapes in China's office
  • Restore the backup files from tape monthly for verification
3. Most of the antivirus software perform an active scanning of the user activity on the Internet, detecting downloads and attachments in e-mails. Hackers have readily available resources to create new viruses. How easy is it to find a virus writing kit? Search the Internet and find such a tool. For example, see what you can find at http://vx.netlux.org/dat/vct.shtml.

I searched for 'virus writing kit' in Yahoo. The result:


There are many documents on the Internet discussing virus writing kits. They say that virus writing kits can easily be downloaded from the Internet, such as (Szor, 2005):
  • VCS (Virus Construction Set) - the first virus generator, written in 1990.
  • GenVir - released as shareware in France by J. Struss in 1990-1991.
  • VCL (Virus Creation Laboratory) - written in the US in 1992.
  • PS-MPC (Phalcon-Skism Mass-Produced Code Generator) - created in 1992 in the US by Dark Angel.
  • NGVCK (Next Generation Virus Creation Kit) - introduced in 2001 by SnakeByte
  • Amateurs - over 150 kits and code mutators are available; in 1996 such tools became extremely popular
Example of Virus Generator Kits:


Reference
  1. Zalenski, R. (2002), Firewall technologies, Potentials, IEEE, 24-29.
  2. Szor, P. (2005), Advanced code evolution techniques and computer virus generator kits, informIT network, Retrieved at https://www.informit.com/articles/article.aspx?p=366890&seqNum=7 on 27th April, 2009.

Exercise 14: Electronic payments and security II

1. What are cookies and how are they used to improve security?

As HTTP is stateless, it does not support continuity in the interaction between browser and server. Cookies were introduced to maintain continuity and state on the Web. Cookies contain character strings that encode relevant information about the user. Cookies are sent to the user's hard disk or RAM through the browser when the user visits a website that uses cookies. The Web server gets the user's information from the cookies when the user returns later (Park & Sandhu 2000).

Cookies are used for authentication, session tracking or state maintenance, and for maintaining users' specific information. Cookies allow the server to recognize that the user is already authenticated, so the user can access services or perform operations that are only allowed for logged-in users (Wikipedia 2009).

2. Can the use of cookies be a security risk?


A Web server could use a cookie to store a user's name and credit card number. Although this is convenient for users, it is also a risk. As cookies are stored and transmitted in clear text, they are readable by others (Park & Sandhu 2000).

Typical cookies on the Web (Park & Sandhu 2000):


All cookies are fundamentally similar to the above format. 'Domain' is the host or domain name where the cookie is valid. 'Flag' specifies whether or not all machines within a given domain can access the information in the cookie. If the 'Secure' flag is on, the cookie will be transmitted only over secure communications channels such as SSL. A Web server can update the contents of the cookies whenever the user visits the server. The cookie issuer is not important for validation, as any Web server can issue cookies for other Web servers.

Security risks to cookies (Park & Sandhu 2000):

  • Network risk - cookies are transmitted in clear text over the network and can be captured or modified by others
  • End-system risk - cookies exist on the browser's end system, stored on the hard drive or in memory in clear text. Their contents can easily be altered by users
  • Cookie-harvesting - if cookies are collected by an attacker from users who accept cookies, the attacker can later use those harvested cookies for all other sites accepting them.
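
A defender can check a stored cookie file for the fields and risks described above. The following is an added example, not from Park & Sandhu; it assumes the seven-field, tab-separated Netscape cookies.txt layout (domain, flag, path, secure, expiration, name, value), and the sample lines and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the assumed Netscape cookies.txt layout.
SAMPLE_COOKIES = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample)",
    "shop.example\tFALSE\t/\tTRUE\t1262304000\tsession\t9f2c41d07ab3",
    ".shop.example\tTRUE\t/\tFALSE\t1262304000\tcard\t4111111111111111",
    ".shop.example\tTRUE\t/account\tFALSE\t1262304000\tuser\talice",
    "broken line without enough fields",
])

CARD_RE = re.compile(r"\b\d{13,19}\b")   # candidate payment card numbers


@dataclass
class Cookie:
    domain: str
    all_hosts: bool   # 'Flag': every machine in the domain may read it
    path: str
    secure: bool      # 'Secure': only sent over channels such as SSL
    expires: int
    name: str
    value: str


def parse_cookie_file(text):
    """Return (cookies, rejected_lines); malformed lines are never guessed at."""
    cookies, rejected = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        ok = (len(f) == 7 and f[1] in ("TRUE", "FALSE")
              and f[3] in ("TRUE", "FALSE") and f[4].isdigit())
        if not ok:
            rejected.append(line)
            continue
        cookies.append(Cookie(f[0], f[1] == "TRUE", f[2], f[3] == "TRUE",
                              int(f[4]), f[5], f[6]))
    return cookies, rejected


def luhn_valid(digits):
    """Luhn checksum, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit(cookie):
    """Map one cookie to the risks named in the list above."""
    findings = []
    if not cookie.secure:
        findings.append("network: Secure flag off, sent in clear text")
    if cookie.all_hosts:
        findings.append("scope: readable by every host in the domain")
    if any(luhn_valid(m) for m in CARD_RE.findall(cookie.value)):
        findings.append("end-system: card number stored in clear text")
    return findings


def audit_file(text):
    cookies, rejected = parse_cookie_file(text)
    return {c.name: audit(c) for c in cookies}, rejected


if __name__ == "__main__":
    report, rejected = audit_file(SAMPLE_COOKIES)
    for name, findings in report.items():
        print(name, findings or ["no findings"])
    print("rejected:", rejected)
```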

Reference

  1. Park, J.S. and Sandhu, R. (2000), Secure cookies on the web, Internet Computing, IEEE, 36-44(4).
  2. Wikipedia (2009), HTTP cookie, Retrieved at http://en.wikipedia.org/wiki/HTTP_cookie on 24th April, 2009

Thursday, April 23, 2009

Exercise 13: Electronic payments and security I

1. List and describe your experiences with a secure Web site. Some examples may be:
  • University enrolment
  • online banking, auctions, real estate;
  • booking a cheap air ticket or concert ticket;
  • shopping online for a book, software or a CD.

I always do my banking transactions on an online banking Web site at http://www.hsbc.com.hk. Before doing the banking transactions, I need to log on to the site with my user name, password and an instant security code that is generated by a security device. The security device is small enough for me to carry anywhere. The instant security code must be used within 60 seconds. If it is not used within 60 seconds, I must generate another security code. After I log on to the site, I am redirected to an SSL-secured Web page to process my banking transactions. If I need to transfer money to other bank accounts that are not owned by me, I am asked to key in an instant security code again. Although Web security is not 100% secure, it is a well-secured Web site and makes me feel confident in doing my banking transactions.

2. What is SET and how does it compare to SSL as a platform for secure electronic transaction? Is SET in common use?

Secure Electronic Transaction (SET) is a standard protocol for securing credit card transactions over public networks. SET is a set of security protocols and formats that lets users employ the existing credit card payment infrastructure; it is not a payment system itself (Wikipedia 2009). SET uses a hashing algorithm to sign a transaction message with the sender's public key, which is decrypted with the private key. The authenticity of the transaction can be verified by both merchants and customers with their own digital signatures (Wiley & Sons 1996).

A SET purchase involves three parties: the customer (cardholder), the merchant and the payment gateway. But now people pay for online purchases by sending their credit card details directly to the merchant. They use the Secure Sockets Layer (SSL) protocol to encrypt the card details over the Internet, but it does nothing to protect merchants or customers from dishonesty. Although SSL offers less protection for both merchant and customer, SSL is commonly used on the Internet because it costs less and is more convenient than SET (Wikipedia 2009).

But SET failed to win market share for the following reasons (Wikipedia 2009):
  • Clients need to install software (e-wallet)
  • Higher cost and more complexity for merchants to support compared with the alternative solution of SSL
  • Cost of distributing client-side certificates

Reference

  1. Wikipedia (2009), Secure Electronic Transaction, Retrieved at http://en.wikipedia.org/wiki/Secure_electronic_transaction on 24th April, 2009.
  2. Wiley, J. and Sons (1996), Secure electronic transactions : an overview, Schneier, Bruce. Applied Cryptography, Retrieved at http://www.davidreilly.com/topics/electronic_commerce/essays/secure_electronic_transactions.html on 24th April, 2009.

Exercise 12: Designing for a secure framework

1. Find out about SET and the use of RSA 128-bit encryption for e-commerce.

SET is the Secure Electronic Transaction protocol, which was developed by Visa and MasterCard. SET is a security method for payment card transactions over open networks, and it has attracted strong interest from industry (Lu & Smolka 1999). SET is an open protocol and standard for protecting the privacy and ensuring the authenticity of electronic transactions (Wiley & Sons 1996). The same source says that the SET protocol consists of two different encryption mechanisms. SET uses symmetric encryption, in the form of the aging DES (Data Encryption Standard), and uses asymmetric (public key) encryption to transmit session keys for DES transactions. SET simply uses 56-bit session keys, which are transmitted asymmetrically. Public key cryptography is used only to encrypt DES keys and for authentication, and not for the main body of the transaction, to save computational cost.

Authentication is important in e-commerce for both merchants and consumers. In SET, authentication is achieved through the use of digital signatures. SET uses a hashing algorithm to sign a transaction message with the sender's public key, and the authenticity of the transaction can be verified (Wiley & Sons 1996).

Two encryption algorithms are used in the SET protocol: DES and RSA. The DES algorithm has been used since 1970 (Wiley & Sons 1996). RSA was the first great advance among algorithms for public key cryptography, and it is widely used in e-commerce protocols. RSA is secure given sufficiently long keys and the use of up-to-date implementations. RSA was publicly described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman; RSA is formed from the initials of their surnames. RSA is an asymmetric encryption algorithm that uses a public key and a private key (Wikipedia 2009).

2. What can you find out about network and host-based intrusion detection systems?
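The hybrid scheme described above (a symmetric session key encrypts the transaction body, and public key encryption is used only to transmit that session key) can be seen end to end in the following added example, which is not code from the SET specification or from the sources cited here. AES-128-GCM stands in for SET's 56-bit DES and RSA-OAEP with a 2048-bit key is assumed; the function names seal and open_envelope are hypothetical.

```ruby
require 'openssl'

CIPHER = 'aes-128-gcm' # assumption: substituted for SET's DES

# Sender: encrypt the body with a fresh session key, then wrap only that
# short key with the recipient's RSA public key.
def seal(plaintext, recipient_public_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  session_key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ''
  body = cipher.update(plaintext) + cipher.final
  wrapped = recipient_public_key.public_encrypt(
    session_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
  )
  { wrapped_key: wrapped, iv: iv, body: body, tag: cipher.auth_tag }
end

# Recipient: unwrap the session key with the RSA private key, then decrypt
# the body. A modified body or tag raises OpenSSL::Cipher::CipherError.
def open_envelope(envelope, recipient_private_key)
  session_key = recipient_private_key.private_decrypt(
    envelope[:wrapped_key], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
  )
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = session_key
  cipher.iv = envelope[:iv]
  cipher.auth_tag = envelope[:tag]
  cipher.auth_data = ''
  cipher.update(envelope[:body]) + cipher.final
end

if __FILE__ == $PROGRAM_NAME
  gateway_key = OpenSSL::PKey::RSA.new(2048)   # constructed key pair
  order = 'order 1001: charge 25.00 to card'   # constructed sample message
  envelope = seal(order, gateway_key.public_key)
  puts "wrapped session key: #{envelope[:wrapped_key].bytesize} bytes"
  puts "recovered: #{open_envelope(envelope, gateway_key)}"
end
```

The RSA operation runs once per message on a 16-byte key, however large the body is, which is the computational saving the paragraph above refers to.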

An intrusion detection system (IDS) monitors all inbound and outbound activity in the network and recognizes suspicious patterns that may indicate a system or network attack from someone attempting to break into or compromise the system. IDSs can be categorized as follows (Webopedia 2002):
  • Misuse detection vs anomaly detection
  • Network-based vs host-based system
  • Passive system vs reactive system
In a network-based intrusion detection system (NIDS), all individual packets that pass through the network are analyzed. The NIDS can detect malicious packets that are overlooked by the simplistic filtering rules of a firewall. In a host-based system, the IDS analyzes the activity on each individual computer or host (Webopedia 2002).

3. What is ‘phishing’?

Phishing is the act of sending an e-mail to a user falsely claiming to come from a legitimate enterprise, in an attempt to scam the user into providing private information. The e-mail may direct the user to visit a Web site that asks him to update personal information such as passwords and credit card, social security and bank account numbers. The Web site is bogus and set up to steal the user's information (Webopedia 2008).

Reference
  1. Lu, S. and Smolka, S. A. (1999), Model checking the secure electronic transaction (set) protocol, Dept. of Comput. Sci., State Univ. of New York, Stony Brook, NY, 358-368.
  2. Wiley, J. and Sons (1996), Secure electronic transactions : an overview, Schneier, Bruce. Applied Cryptography, Retrieved at http://www.davidreilly.com/topics/electronic_commerce/essays/secure_electronic_transactions.html on 23rd April, 2009.
  3. Wikipedia (2009), RSA, Retrieved at http://en.wikipedia.org/wiki/RSA on 23rd April, 2009.
  4. Webopedia (2002), intrusion detection system, Retrieved at http://www.webopedia.com/TERM/I/intrusion_detection_system.html on 23rd April, 2009.
  5. Webopedia (2008), phishing, Retrieved at http://www.webopedia.com/TERM/p/phishing.html on 23rd April, 2009.

Wednesday, April 22, 2009

Workshop 5: Admiring the scenery. Forms, AJAX screen layout and mobile interfaces: Part C Screen layouts and forms processing:

1. Create a new application called cabs in the same projects directory to demonstrate the use of an active view.

> rails cabs
> cd cabs

Result in my computer:


2. Create a controller called Vehicle in cabs\app\controllers

cabs> ruby script/generate controller Vehicle

Result in my computer:


3. Add an action to vehicle_controller.rb as the method called cabtype

class VehicleController < ApplicationController
  def cabtype
  end
end


Result in my computer:


4. Add a view template - cabs\app\views\vehicle\cabtype.rhtml We will edit this view in later steps but you may like to add your own test HTML code to the view at this stage.

I copy the breathe.rb from the above animal application into scenery\app\views\demo and rename the file to cabtype.rb

5. Save the view and restart the Web server and navigate to http://localhost:3000/cabs/cabtype

Result in my computer:


I change the navigation to http://localhost:3000/vehicle/cabtype, and the result is OK now:


6. Create a file in the public directory - \cabs\public called input.html

I had created a file in the public folder (\cabs\public) called input.html

7. Edit the vehicle_controller.rb; here is a start. The data in each form element in the Rails application can be accessed via its name and a hash called params:

class VehicleController < ApplicationController
  # Each field posted by input.html arrives in the params hash under its form name.
  def cabtype
    @data1 = params[:text1]
    @data2 = params[:check1]
    @data3 = params[:radios1]
    @data4 = params[:building1]
  end
end


The vehicle_controller.rb in my computer:


8. Edit the view template cabtype.rhtml

The cabtype.rhtml in my computer:


9. Start the Web server and go to the opening page of this application at http://localhost:3000/input.html

Result in my computer:


10. Submit the forms data. What do you find?

When I submit the form with the data provided, the current Web page is redirected from input.html to vehicle (calling the vehicle controller to display the user input). But an error page is returned. The error occurs in the action controller because of an invalid authenticity token. The error page lists the parameters that I had input.

Result in my computer:
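
The invalid authenticity token error in step 10 comes from Rails' request forgery protection: input.html is a static file in the public directory, so the form it posts carries no token for the controller to check against the session. A simplified plain-Ruby model of that check, added here as an illustration and not the workshop's or Rails' own code (Session, verify_request, form_fields and this cabtype function are hypothetical names):

```ruby
require 'securerandom'

class InvalidAuthenticityToken < StandardError; end

# One random token per session, created on first use.
Session = Struct.new(:csrf_token) do
  def token
    self.csrf_token ||= SecureRandom.base64(32)
  end
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# GET requests pass through; any other request must echo the session token.
def verify_request(http_method, params, session)
  return params if http_method == 'GET'
  unless secure_compare(params['authenticity_token'], session.token)
    raise InvalidAuthenticityToken
  end
  params
end

# What a server-rendered form adds: a hidden field carrying the session token.
def form_fields(session, fields)
  fields.merge('authenticity_token' => session.token)
end

# Stand-in for the controller action: verify first, then use the form data.
def cabtype(http_method, params, session)
  verify_request(http_method, params, session)
  "text1=#{params['text1']}"
rescue InvalidAuthenticityToken
  'rejected: invalid authenticity token'
end

if __FILE__ == $PROGRAM_NAME
  session = Session.new
  static_form = { 'text1' => 'taxi' }   # constructed input, as posted by a static page
  puts cabtype('POST', static_form, session)
  puts cabtype('POST', form_fields(session, static_form), session)
end
```

A form generated by a view template on the server can include the hidden token field, which is why a POST from a static page fails while the same fields sent from a server-rendered form succeed.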

Workshop 5: Admiring the scenery. Forms, AJAX screen layout and mobile interfaces: Part B The active view:

1. Create a new application called scenery in the same projects directory to demonstrate the use of an active view.

> rails scenery
> cd scenery


Result in my computer:


2. Create a controller called Demo in scenery\app\controllers

scenery> ruby script/generate controller Demo

Result in my computer:


3. Add an action to demo_controller.rb as the method called rubycode

class DemoController < ApplicationController
  def rubycode
  end
end


The method called rubycode is added into demo_controller.rb:


4. Add a view template - scenery\app\views\demo\rubycode.rhtml We will edit this view in later steps but you may like to add your own test HTML code to the view at this stage.

I copy the breathe.rb from the above animal application into scenery\app\views\demo and rename the file to rubycode.rb

5. Save and restart the Web server and navigate to http://localhost:3000/scenery/rubycode

Result in my computer:


I change the navigation to http://localhost:3000/demo/rubycode, and the result is OK now:


6. Use the Time.now example to pass data from an action to a view.

I change rubycode.rb in the scenery\app\views\demo:


Result in the Web browser:


7. Modify and save the rubycode action with a value for the time instance variable in the DemoController class in app\controllers\demo_controller.rb

class DemoController < ApplicationController
  def rubycode
    @time_now = Time.now
  end
end


The demo_controller.rb in my computer:


8. Then modify and save the corresponding view template in \app\views\demo\rubycode.rhtml by adding a call by reference to the action’s instance variable: The time is <%= @time.now %>

The rubycode.rhtml in my computer:
As an error occurs, I change the statement to:
The time is <%= @time_now %>


9. Restart the Web server and navigate the browser to http://localhost:3000/demo/rubycode

The instance variable time_now is passed successfully from the Ruby class to the view template by reference. Result in my computer:

Saturday, April 18, 2009

Workshop 5: Admiring the scenery. Forms, AJAX screen layout and mobile interfaces: Part A Viewing the action:

1. Create the Rails application framework in the projects folder:

C:\InstantRails\...\projects\>rails animals

I create the application framework into the folder named Sites in my Mac:


2. Run the application on localhost:3000 using the WEBrick Ruby server (or Mongrel as an alternative) and access it via a Web browser at http://localhost:3000/

I go into the folder created above, then run the command "ruby script/server" to start the Web server.


The Web browser at http://localhost:3000/


3. Create the controller to make the application do an action. This is under the controller-action/model-view structure.

Stop the WEBrick server each time you edit Ruby classes and then re-start or refresh the views you are testing. Use the Ruby command below:

>ruby script/generate controller Mammal

Result in my computer:


The mammal_controller.rb contains just a bare class description:
class MammalController < ApplicationController
end


Result in my computer:


and the ApplicationController class inherits from ActionController::Base class in the ActionController module under Rails.

Result in my computer:



4. Test the controller by starting the WEBrick server and navigating the browser to http://localhost:3000/mammal Note how the controller name is appended to the end of the URL and that no action resulted because there are no controller methods.


Result in my computer:


5. Create an action by editing and saving the mammal_controller.rb class in projects\animals\app\controllers using your text editor to add the method below:

class MammalController < ApplicationController
  def breathe
  end
end


The mammal_controller.rb in my computer:


6. Start the WEBrick server and browse at http://localhost:3000/mammals/breathe where you will get a “missing template” message since it is missing a view for the breathe method. Rails is trying to connect the breathe method action of the mammal controller to a view, by using the action’s name – breathe. This view template is created as breathe.rhtml and stored in the \projects\animals\views\mammal directory.

Result in my computer:


7. Create and save a view in that directory by using a text editor to create a view called breathe.rhtml

Result in my computer:


8. Try Ruby code and HTML in the action view by using the <%....%> wrapper around the inserted Ruby code. Here are some snippets to try from workshop 4:

I modify the breathe.rhtml:


Result in my computer: